MacRoberts e-update 13/01/10
A HEAVY PRICE TO PAY FOR DATA PROTECTION BREACHES
Further to our e-update "500,000 Reasons for Data Controllers to be careful", the Ministry of Justice has published the outcome of its consultation into fixing a higher monetary penalty for serious breaches of the data protection principles under the Data Protection Act 1998. It has concluded that there should be a maximum fine of £500,000, and it is expected that this provision will come into force on 6 April 2010.
The potential penalty can apply to data controllers found guilty of a serious contravention of the data protection principles, where substantial damage or distress was likely to be caused, and either:
- the contravention was deliberate, or
- the data controller knew or ought to have known that the breach was likely to occur and failed to take reasonable steps to prevent it from occurring.
It should be noted that the Information Commissioner's Office will be able to impose these sanctions on any data controller, in other words all public sector bodies, private sector organisations, charities and any other organisation that processes personal data will be caught should they fall foul - there are no data controller exceptions. The government is also likely to introduce custodial sentences for serious Data Protection breaches later this year, with the consultation responses on that issue currently under review by the Ministry of Justice.
These new powers demonstrate a tougher stance by the ICO towards data protection breaches, and while the Information Commissioner Christopher Graham has stated his commitment to co-operating with public, private and third sector bodies to ensure compliance, he "will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
This new power does not mean that offenders will be hit with fines whenever there is a breach of the data protection principles. The ICO will consider any possible mitigating factors, such as whether it was a first offence, the seriousness of the contravention, the likelihood of damage or distress, and what steps had already been put in place to prevent breaches. There will also be a 20% discount for those who pay their fine within 28 days of receiving a monetary penalty notice.
MacRoberts was one of the 52 respondents to the consultation paper; to view the MacRoberts
consultation response click here.
You can view the Ministry of Justice's summary of the responses here:
MacRoberts offers comprehensive advice on all data protection matters to public, private and third sector bodies. For further information, please contact David Flint or Valerie Surgenor on 0141 332 9988.
© MacRoberts 2010
To register for MacRoberts e-updates on a variety of legal topics, please click here.